Gameboy Color boot ROM

It’s only been a week since the Super Gameboy’s boot ROM was dumped by [Costis] and he’s already at it again. This time he’s managed to grab the Gameboy Color’s boot ROM. He found that the newer Gameboy Color’s hardware is able to cope with a clock speed of up to 100 MHz, so the clock-increase trick he used on the Super Gameboy wouldn’t work again.

Instead he discovered that a quick disconnection of clock and power, before the boot ROM is disabled via 0xFF50, would make the Gameboy jump to a random area within the ROM. Then it was only a matter of entropy, luck, and some special NOP instructions until eventually he had the boot ROM. Keep up the good work [Costis].

33 thoughts on “Gameboy Color boot ROM”

“Nobody means to be rude when they ask “where do you find the time?” or they say “you have too much time on your hands!”. I understand they mean “wow, that must have taken a long time”. I do find it strange that people can spend an entire weekend watching television (sports, dramas, reality shows) and nobody asks or says the same thing. It’s almost as if our culture has begun to look down on the concept of putting forth effort.”

How about smoking pot and studying botany allowing you to grow more pot which you could then smoke and then study biology which would enable you to grow more pot then you could smoke that pot and study microcontrollers and design an automated garden further freeing up more time to smoke pot and play video games.

This is really cool and a lot of work, but why work with the SGB/GBC? Why not the GBA or DS? I’ve seen amazing hacks done with the GBC already, but I mean the GBC is a pretty limited handheld… imagine what could be done with more powerful handhelds…

For those who feel the need to ask why… it’s simple. You first need to have the boot ROM code figured out before you can begin to do the really cool stuff like put a Linux or other custom OS on. There are other things you can do once you have broken that code open as well… like make custom ones to replace it, that will give expanded/new functionality. A tremendous hack and well done.

The boot ROM in the GBA and NDS is easier to dump because it isn’t locked for the code on the card. In fact.

Those dumps are useful in the way that they can make the emulators boot just like the original hardware. This will give the user more of the feeling of actually playing on real hardware. In addition, it will help the emulator developers to integrate support for the unknown I/O features of the GBC.

Some sources state that there is actually a third ROM area inside the GBC CPU die, at the size of 512 bytes, but that might just be for decoding purposes (like the IBM PC/XT uses a small piece of ROM [U44] to decode what bank of memory is being addressed).

Want the answer? Here’s the answer: All current Game Boy emulators may run “just fine” to the ignorant folks who just use emulators for L33T FR33 G4M3Z!!111!1one, but for those of us who are actually interested in emulating the systems accurately to the way the hardware actually works, this is a godsend. It means that we no longer have to kludge games into booting by forcing the Z80 CPU to jump directly to 0x100 from power-up, which is not accurate to the way a Z80 works by any stretch of the imagination.

And for the record, using the actual Game Boy Color boot ROM in MESS – the only emulator to support it thus far – allows you to use certain GBC features that are not currently emulated by any other emulator, such as the ability to select certain special palettes for mono GB games running on the GBC by holding down the D-pad on boot-up.

I didn’t say any game didn’t work, but almost all emulators will start the game directly without the GBC intro. It’s not for compatibility, but for more accurate emulation of the startup sequence (both visually and technically).

Anyways, the BIOS of the GBA and NDS has already been dumped a long time ago, and there is simply no need to do it again.

Because it hasn’t been done and it’s interesting? It also means that emulators come another leap forward in accuracy.. This stuff isn’t going to work forever and the life expectancy can only go down with all the “collectors” spraying WD40 and shit into these things.

>You first need to have the boot ROM
>code figured out before you can begin
>to do the really cool stuff like put a Linux

Eh? There is already homebrew for the GB.. you could write an OS for the GB, but what would be the point in that,.. there’s not that much memory etc to waste on things you don’t need.

>like make custom ones to replace it,

The reason these are difficult to dump is that the ROM is embedded inside the same package as something else (like the CPU or something) and doesn’t expose any lines that could be used to read it directly… so the only way of reading this type of ROM is via something that has access to it; in this case access to the ROM is disabled before any external code can be executed. So it’s “impossible” to read the ROM. Hence you need hacks like this, or do like the guy did with the original GB: dissolve the casing off of the chip and manually read the bits from the ROM with a microscope. Not much fun, eh?

>that will give expanded/new functionality.

You can’t replace this ROM, it’s embedded in the chip! you don’t need to replace it either.. you can load your own code from the cartridge bus.
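To make the lockout described in the comments above concrete, here is an added Python model of the boot-ROM overlay and its one-way disable register; it is not code from the article or from [Costis]. The model assumes the commonly documented GBC layout (boot ROM overlaid at 0x0000–0x00FF and 0x0200–0x08FF, cartridge header visible in between) and treats 0xFF50 as a write-once switch that nothing in the system can flip back. The boot ROM and cartridge contents are constructed byte patterns, not real dumps. It shows why, once the boot ROM hands control to cartridge code, ordinary reads of the low address window only ever return cartridge bytes.

```python
"""Constructed model of a boot-ROM overlay with a one-way disable register.

Assumptions (not taken from the article): the GBC boot ROM is mapped over
0x0000-0x00FF and 0x0200-0x08FF, the cartridge header at 0x0100-0x01FF stays
visible, and a non-zero write to 0xFF50 unmaps the overlay permanently.
"""

BOOT_ROM_DISABLE_REG = 0xFF50                     # register named in the article
BOOT_WINDOWS = ((0x0000, 0x0100), (0x0200, 0x0900))  # assumed overlay layout
BOOT_ROM_SIZE = 0x900


class Bus:
    """Minimal address decoder: boot ROM overlay, then cartridge ROM."""

    def __init__(self, boot_rom: bytes, cart_rom: bytes):
        if len(boot_rom) != BOOT_ROM_SIZE:
            raise ValueError("boot ROM image must be exactly 0x900 bytes")
        self.boot_rom = boot_rom
        self.cart_rom = cart_rom
        self.boot_mapped = True   # overlay active from power-on

    def _in_boot_window(self, addr: int) -> bool:
        return any(lo <= addr < hi for lo, hi in BOOT_WINDOWS)

    def read(self, addr: int) -> int:
        # While mapped, the overlay shadows the cartridge in its windows only.
        if self.boot_mapped and self._in_boot_window(addr):
            return self.boot_rom[addr]
        if addr < len(self.cart_rom):
            return self.cart_rom[addr]
        return 0xFF               # open bus / unmapped in this model

    def write(self, addr: int, value: int) -> None:
        # One-way switch: a non-zero write unmaps the boot ROM and there is
        # deliberately no code path that sets boot_mapped back to True.
        if addr == BOOT_ROM_DISABLE_REG and value != 0:
            self.boot_mapped = False
        # All other writes are ignored (ROM is read-only, no RAM modelled).


def dump_window(bus: Bus, lo: int, hi: int) -> bytes:
    """Read a contiguous address range through the bus, as CPU code would."""
    return bytes(bus.read(a) for a in range(lo, hi))


def demo():
    # Constructed images: a simple pattern for the boot ROM, 0x80.. for the cart.
    boot = bytes((i * 7) & 0xFF for i in range(BOOT_ROM_SIZE))
    cart = bytes(0x80 + (i % 64) for i in range(0x8000))
    bus = Bus(boot, cart)

    before = dump_window(bus, 0x0000, 0x0010)  # boot ROM bytes
    header = dump_window(bus, 0x0100, 0x0110)  # cartridge header stays visible
    bus.write(BOOT_ROM_DISABLE_REG, 0x01)      # boot ROM hands off to the cart
    after = dump_window(bus, 0x0000, 0x0010)   # now cartridge bytes
    bus.write(BOOT_ROM_DISABLE_REG, 0x00)      # "re-enable" attempt: no effect
    again = dump_window(bus, 0x0000, 0x0010)
    return before, header, after, again


if __name__ == "__main__":
    b, h, a, g = demo()
    print("boot window before disable:", b.hex())
    print("header while boot mapped:  ", h.hex())
    print("boot window after disable: ", a.hex())
    print("after zero write to FF50:  ", g.hex())
```

The point of the model is the asymmetry in `write`: the only state transition is mapped-to-unmapped, so any code that runs from the cartridge is already too late to read the overlay through the bus, which is exactly why the dump had to come from interrupting the boot sequence itself rather than from software.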

Of course this hack is pointless. Gameboy emulators work perfectly, and making gameboy games does not require knowledge of the boot ROM.

However, that boot ROM is information, and even useless information can’t sit around forever before someone will try to reverse-engineer it, just to prove that it can be done.

Also, as others have said, the concepts used here can be applied to other electronics, and I suspect that some badly-engineered DRM chips may be feeling the effects of this sooner or later, as clock speeds climb.